From ed045711a75bf693506c1a0759bca50fa92849e1 Mon Sep 17 00:00:00 2001 From: Subhajit Ray Date: Fri, 4 Aug 2023 15:13:39 -0700 Subject: [PATCH 1/3] Add support for new states in RSC configuration. --- .../GetMgBetaChatRscConfiguration_Get.cs | 13 +- .../GetMgBetaTeamRscConfiguration_Get.cs | 12 +- ...tPermissionGrantPolicyCollectionRequest.cs | 58 ++++++ .../MicrosoftGraphRscConfigurationState.cs | 12 +- .../custom/RscConfigurationSynthesizer.cs | 172 +++++++++++++++--- .../SetMgBetaChatRscConfiguration_Update.cs | 77 ++++---- .../SetMgBetaTeamRscConfiguration_Update.cs | 126 +++++++------ src/Teams/beta/custom/Teams.cs | 26 +++ .../MGTeamsInternalPermissionGrantPolicy.cs | 72 ++++++++ ...InternalPermissionGrantPolicyCollection.cs | 47 +++++ 10 files changed, 491 insertions(+), 124 deletions(-) create mode 100644 src/Teams/beta/custom/HttpRequests/GetPermissionGrantPolicyCollectionRequest.cs create mode 100644 src/Teams/beta/custom/TeamsInternalModels/MGTeamsInternalPermissionGrantPolicy.cs create mode 100644 src/Teams/beta/custom/TeamsInternalModels/MGTeamsInternalPermissionGrantPolicyCollection.cs diff --git a/src/Teams/beta/custom/GetMgBetaChatRscConfiguration_Get.cs b/src/Teams/beta/custom/GetMgBetaChatRscConfiguration_Get.cs index c58ece840d4..0d36d60f852 100644 --- a/src/Teams/beta/custom/GetMgBetaChatRscConfiguration_Get.cs +++ b/src/Teams/beta/custom/GetMgBetaChatRscConfiguration_Get.cs 
@@ -237,6 +237,13 @@ protected override void ProcessRecord() { await ((Microsoft.Graph.Beta.PowerShell.Runtime.IEventListener)this).Signal(Microsoft.Graph.Beta.PowerShell.Runtime.Events.CmdletBeforeAPICall); if (((Microsoft.Graph.Beta.PowerShell.Runtime.IEventListener)this).Token.IsCancellationRequested) { return; } + MGTeamsInternalPermissionGrantPolicyCollection permissionGrantPolicyCollection = + await this.Client.GetPermissionGrantPolicies(selectQuery: "id, resourceScopeType", eventListener: this, sender: this.Pipeline); + + WriteVerbose($"Fetched permission grant policies for tenant."); + + if (((Microsoft.Graph.Beta.PowerShell.Runtime.IEventListener)this).Token.IsCancellationRequested) { return; } + // Get Teams App Settings Models.IMicrosoftGraphTeamsAppSettings teamsAppSettings = await this.Client.GetTeamsAppSettings(this, Pipeline); @@ -253,7 +260,11 @@ protected override void ProcessRecord() RscConfigurationSynthesizer rscConfigurationConverter = new RscConfigurationSynthesizer(); Models.IMicrosoftGraphRscConfiguration microsoftGraphRscConfiguration = - rscConfigurationConverter.ConvertToChatRscConfiguration(teamsAppSettings, authorizationPolicy, this); + rscConfigurationConverter.ConvertToChatRscConfiguration( + permissionGrantPolicyCollection: permissionGrantPolicyCollection, + teamsAppSettings: teamsAppSettings, + authorizationPolicy: authorizationPolicy, + eventListener: this); WriteObject(microsoftGraphRscConfiguration); diff --git a/src/Teams/beta/custom/GetMgBetaTeamRscConfiguration_Get.cs b/src/Teams/beta/custom/GetMgBetaTeamRscConfiguration_Get.cs index f645223d70b..fdd103772a9 100644 --- a/src/Teams/beta/custom/GetMgBetaTeamRscConfiguration_Get.cs +++ b/src/Teams/beta/custom/GetMgBetaTeamRscConfiguration_Get.cs 
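Review bot: The new fetch projects with `selectQuery: "id, resourceScopeType"`, yet the synthesizer (L11) reads `ManagePermissionGrantsForOwnedResourcePrefixedId` from each returned policy; unless that property is derived from `id` in the MGTeamsInternalPermissionGrantPolicy model (added by this patch but not shown here), the projection drops the field and every policy would look unassigned. The cmdlet now also reads /policies/permissiongrantpolicies, which needs a directory-policy read permission that the Teams-app-settings read did not (Policy.Read.PermissionGrant, if I recall the Graph reference), so the cmdlet's documented required scopes need updating. The same literal is repeated in L3, L13 and L18; a single `internal const string PermissionGrantPolicySelectQuery = "id, resourceScopeType";` on RscConfigurationSynthesizer would keep the four copies in step with the properties the synthesizer actually reads. ProcessRecord starts and ends outside the hunk.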
@@ -237,6 +237,11 @@ protected override void ProcessRecord() { await ((Microsoft.Graph.Beta.PowerShell.Runtime.IEventListener)this).Signal(Microsoft.Graph.Beta.PowerShell.Runtime.Events.CmdletBeforeAPICall); if (((Microsoft.Graph.Beta.PowerShell.Runtime.IEventListener)this).Token.IsCancellationRequested) { return; } + MGTeamsInternalPermissionGrantPolicyCollection permissionGrantPolicyCollection = + await this.Client.GetPermissionGrantPolicies(selectQuery: "id, resourceScopeType", eventListener: this, sender: this.Pipeline); + + WriteVerbose($"Fetched permission grant policies for tenant."); + // Get Group consent settings MGTeamsInternalTenantConsentSettingsCollection tenantConsentSettingCollection = await this.Client.GetTenantConsentSettings(this, Pipeline); @@ -252,8 +257,11 @@ protected override void ProcessRecord() if (((Microsoft.Graph.Beta.PowerShell.Runtime.IEventListener)this).Token.IsCancellationRequested) { return; } RscConfigurationSynthesizer rscConfigurationConverter = new RscConfigurationSynthesizer(); - Models.IMicrosoftGraphRscConfiguration microsoftGraphRscConfiguration = - rscConfigurationConverter.ConvertToTeamRscConfiguration(tenantConsentSettingCollection, authorizationPolicy, this); + Models.IMicrosoftGraphRscConfiguration microsoftGraphRscConfiguration = rscConfigurationConverter.ConvertToTeamRscConfiguration( + permissionGrantPolicyCollection, + tenantConsentSettingCollection, + authorizationPolicy, + this); WriteObject(microsoftGraphRscConfiguration); diff --git a/src/Teams/beta/custom/HttpRequests/GetPermissionGrantPolicyCollectionRequest.cs b/src/Teams/beta/custom/HttpRequests/GetPermissionGrantPolicyCollectionRequest.cs new file mode 100644 index 00000000000..74f5faa2cd5 --- /dev/null +++ b/src/Teams/beta/custom/HttpRequests/GetPermissionGrantPolicyCollectionRequest.cs 
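Review bot: After the added `await this.Client.GetPermissionGrantPolicies(...)` there is no cancellation check before the tenant consent settings request, while the chat cmdlet (L2) checks the token after the same call; add `if (((Microsoft.Graph.Beta.PowerShell.Runtime.IEventListener)this).Token.IsCancellationRequested) { return; }` after the WriteVerbose. In the second hunk the four arguments are passed positionally whereas the chat cmdlet names them; with two collection-typed parameters now in front, the named form guards against a silent swap if the signature is reordered again. ProcessRecord starts and ends outside these hunks.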
@@ -0,0 +1,58 @@
+using System.Text;
+
+namespace Microsoft.Graph.Beta.PowerShell.TeamsInternal.Requests
+{
+ ///
+ /// Request to get all permission grant policies in the tenant.
+ ///
+ internal class GetPermissionGrantPolicyCollectionRequest : TeamsHttpRequest
+ {
+ ///
+ /// Select query.
+ ///
+ private readonly string selectQuery;
+
+ ///
+ /// Initializes a new instance of the class.
+ ///
+ /// The service principal Id.
+ internal GetPermissionGrantPolicyCollectionRequest(string selectQuery)
+ {
+ this.selectQuery = selectQuery;
+ }
+
+ ///
+ /// Gets the Http method for the request.
+ ///
+ /// The http method.
+ protected override System.Net.Http.HttpMethod GetHttpMethod()
+ {
+ return Runtime.Method.Get;
+ }
+
+ ///
+ /// Gets the base url for the request.
+ ///
+ /// string containing the base url.
+ protected override string GetBaseUrl()
+ {
+ StringBuilder sb = new StringBuilder();
+ sb.Append("https://graph.microsoft.com/beta/policies/permissiongrantpolicies");
+ if (this.selectQuery != null)
+ {
+ sb.Append($"?$select={this.selectQuery}");
+ }
+
+ return sb.ToString();
+ }
+
+ ///
+ /// Gets the body of the request as a string.
+ ///
+ /// The body.
+ protected override string GetBodyAsString()
+ {
+ return null;
+ }
+ }
+}
diff --git a/src/Teams/beta/custom/MicrosoftGraphRscConfigurationState.cs b/src/Teams/beta/custom/MicrosoftGraphRscConfigurationState.cs
index 2b480a640f9..b4a4488121c 100644
--- a/src/Teams/beta/custom/MicrosoftGraphRscConfigurationState.cs
+++ b/src/Teams/beta/custom/MicrosoftGraphRscConfigurationState.cs
@@ -21,6 +21,16 @@ public enum MicrosoftGraphRscConfigurationState
 ///
 /// Enabled for all apps.
 ///
- EnabledForAllApps
+ EnabledForAllApps,
+
+ ///
+ /// Enabled for selected group of users.
+ ///
+ EnabledForSelectedGroupOfUsers,
+
+ ///
+ /// Custom configuration not understood by the sdk.
+ ///
+ Custom
 }
 }
\ No newline at end of file
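Review bot: `GetBaseUrl` appends `this.selectQuery` to the query string unescaped, and the only caller passes `"id, resourceScopeType"` with an embedded space; either escape it — `sb.Append($"?$select={Uri.EscapeDataString(this.selectQuery)}");` — or state in the constructor doc that the value must already be URL-safe. That constructor doc currently reads `/// The service principal Id.`, copied from another request; it should be `/// The $select projection to apply, or null for none.`. With only two appends the StringBuilder adds nothing over a conditional concatenation, but that is a matter of taste.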
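Review bot: `Custom` and `EnabledForSelectedGroupOfUsers` become accepted values of the Set cmdlets' -State parameter, but the visible branches in L13 and L18 only test `DisabledForAllApps` and `EnabledForPreApprovedAppsOnly`; if the final `else` (outside those hunks) treats every other value as EnabledForAllApps, `-State Custom` would silently enable RSC for all apps. Reject them up front in both Set cmdlets, e.g. `if (this.State == MicrosoftGraphRscConfigurationState.Custom || this.State == MicrosoftGraphRscConfigurationState.EnabledForSelectedGroupOfUsers) { throw new NotSupportedException($"State '{this.State}' can be reported but not set."); }` (or whatever terminating-error helper the cmdlets use), and say so in the enum docs: `/// Custom configuration not understood by the sdk; reported by Get, not accepted by Set.`.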
diff --git a/src/Teams/beta/custom/RscConfigurationSynthesizer.cs b/src/Teams/beta/custom/RscConfigurationSynthesizer.cs index 16eeccdd8d1..6ac37bf19c2 100644 --- a/src/Teams/beta/custom/RscConfigurationSynthesizer.cs +++ b/src/Teams/beta/custom/RscConfigurationSynthesizer.cs @@ -1,7 +1,9 @@ namespace Microsoft.Graph.Beta.PowerShell.TeamsInternal { using System; + using System.Collections.Generic; using System.Linq; + using Microsoft.Graph.Beta.PowerShell.Cmdlets; using Microsoft.Graph.Beta.PowerShell.Models; using Microsoft.Graph.Beta.PowerShell.Models.TeamsInternal; using Microsoft.Graph.Beta.PowerShell.Runtime; @@ -21,6 +23,8 @@ internal class RscConfigurationSynthesizer internal const string EnableGroupSpecificConsentKey = "EnableGroupSpecificConsent"; + internal const string ConstrainGroupSpecificConsentToMembersOfGroupIdKey = "ConstrainGroupSpecificConsentToMembersOfGroupId"; + /// /// Initializes a new instance of the class. /// @@ -35,10 +39,18 @@ internal RscConfigurationSynthesizer() /// Authorization policy. /// The chat RSC configuration. internal MicrosoftGraphRscConfiguration ConvertToChatRscConfiguration( + MGTeamsInternalPermissionGrantPolicyCollection permissionGrantPolicyCollection, Models.IMicrosoftGraphTeamsAppSettings teamsAppSettings, MGTeamsInternalAuthorizationPolicy authorizationPolicy, Runtime.IEventListener eventListener) { + if (permissionGrantPolicyCollection?.Value == null) + { + throw new MGTeamsInternalException( + MGTeamsInternalErrorType.ResourceNotFound, + "Permission grant policies were not found."); + } + if (teamsAppSettings == null) { throw new MGTeamsInternalException( 
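Review bot: The new `permissionGrantPolicyCollection` parameter of ConvertToChatRscConfiguration has no param entry while the neighbouring parameters are documented; add `/// <param name="permissionGrantPolicyCollection">All permission grant policies in the tenant, used to classify the policies assigned to the default user role by resource scope type.</param>`. The same gap exists for ConvertToTeamRscConfiguration in L8, and the new helper in L11 has no doc comment at all. The added `using Microsoft.Graph.Beta.PowerShell.Cmdlets;` is not referenced by anything in this file's hunks — if it is unused, drop it so the synthesizer stays free of cmdlet-layer dependencies.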
@@ -56,21 +68,46 @@ internal MicrosoftGraphRscConfiguration ConvertToChatRscConfiguration( MicrosoftGraphRscConfiguration microsoftGraphRscConfiguration = new MicrosoftGraphRscConfiguration { Id = "ChatResourceSpecificPermissionConfiguration", - ScopeType = MicrosoftGraphRscConfigurationScopeType.Chat + ScopeType = MicrosoftGraphRscConfigurationScopeType.Chat, + State = MicrosoftGraphRscConfigurationState.Custom }; + IEnumerable assignedPermissionGrantPoliciesApplicableToChatScope = + this.GetAssignedPermissionGrantPoliciesApplicableToGivenScopeType( + permissionGrantPolicyCollection, + authorizationPolicy, + MicrosoftGraphRscConfigurationScopeType.Chat); + if (teamsAppSettings.IsChatResourceSpecificConsentEnabled == true) { - this.LogVerbose("Chat RSC is enabled in Teams App Settings.", eventListener); - microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.EnabledForAllApps; + if (assignedPermissionGrantPoliciesApplicableToChatScope.Any()) + { + this.LogVerbose( + "Chat RSC is enabled in Teams App Settings and chat scoped permission grant policies are enabled. 
Not a supported scenario.", + eventListener); + microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.Custom; + } + else + { + this.LogVerbose("Chat RSC is enabled in Teams App Settings.", eventListener); + microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.EnabledForAllApps; + } } - else if (authorizationPolicy - ?.DefaultUserRolePermissions - ?.PermissionGrantPoliciesAssigned - ?.Contains(RscConfigurationSynthesizer.MicrosoftCreatedPermissionGrantPolicyForChatRscPreApproval, StringComparer.OrdinalIgnoreCase) == true) + else if (assignedPermissionGrantPoliciesApplicableToChatScope.Any()) { - this.LogVerbose("Authorization policy contains permission grant policy for chat RSC preapprovals.", eventListener); - microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.EnabledForPreApprovedAppsOnly; + if (assignedPermissionGrantPoliciesApplicableToChatScope.Any(pgp => !string.Equals( + pgp.ManagePermissionGrantsForOwnedResourcePrefixedId, + RscConfigurationSynthesizer.MicrosoftCreatedPermissionGrantPolicyForChatRscPreApproval, + StringComparison.OrdinalIgnoreCase))) + { + this.LogVerbose("Unknown chat scoped permission grant policies are enabled. Not a supported scenario.", eventListener); + microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.Custom; + } + else + { + this.LogVerbose("Authorization policy contains permission grant policy for chat RSC preapprovals.", eventListener); + microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.EnabledForPreApprovedAppsOnly; + } } else { 
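Review bot: `assignedPermissionGrantPoliciesApplicableToChatScope` is typed IEnumerable and enumerated up to three times (`Any()` twice plus `Any(pgp => …)`); the helper returns a List today, so the cost is nil, but declaring the local as `IReadOnlyCollection<MGTeamsInternalPermissionGrantPolicy>` (or calling `.ToList()`) documents that and stays correct if the helper ever becomes lazy. When the state falls to `Custom`, the verbose message says only that unknown policies exist; appending `string.Join(", ", assignedPermissionGrantPoliciesApplicableToChatScope.Select(p => p.ManagePermissionGrantsForOwnedResourcePrefixedId))` tells the admin which assignments produced the unsupported state, which is what they need in order to reconcile it. The same applies to the team path in L9–L10. The chain's final `else` is outside the hunk.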
@@ -88,11 +125,19 @@ internal MicrosoftGraphRscConfiguration ConvertToChatRscConfiguration(
 /// Authorization policy.
 /// Rsc configuration.
 internal IMicrosoftGraphRscConfiguration ConvertToTeamRscConfiguration(
+ MGTeamsInternalPermissionGrantPolicyCollection permissionGrantPolicyCollection,
 MGTeamsInternalTenantConsentSettingsCollection tenantConsentSettingCollection,
 MGTeamsInternalAuthorizationPolicy authorizationPolicy,
 Runtime.IEventListener eventListener)
 {
- if (tenantConsentSettingCollection == null)
+ if (permissionGrantPolicyCollection?.Value == null)
+ {
+ throw new MGTeamsInternalException(
+ MGTeamsInternalErrorType.ResourceNotFound,
+ "Permission grant policies were not found.");
+ }
+
+ if (tenantConsentSettingCollection?.Value == null)
 {
 throw new MGTeamsInternalException(
 MGTeamsInternalErrorType.ResourceNotFound,
@@ -109,27 +154,56 @@ internal IMicrosoftGraphRscConfiguration ConvertToTeamRscConfiguration( MicrosoftGraphRscConfiguration microsoftGraphRscConfiguration = new MicrosoftGraphRscConfiguration { Id = "TeamResourceSpecificPermissionConfiguration", - ScopeType = MicrosoftGraphRscConfigurationScopeType.Team + ScopeType = MicrosoftGraphRscConfigurationScopeType.Team, + State = MicrosoftGraphRscConfigurationState.Custom }; - string projectedIsGroupConsentEnabledSettingValue = this.GetProjectedIsGroupConsentEnabledSettingValue( + (string isGroupConsentSettingEnabled, string groupConsentConstrainedToGroupId) projectedGroupConsentSettings = this.GetProjectedGroupConsentSettings( tenantConsentSettingCollection, authorizationPolicy, eventListener); - if (string.Equals(projectedIsGroupConsentEnabledSettingValue, true.ToString(), StringComparison.OrdinalIgnoreCase)) + IEnumerable assignedPermissionGrantPoliciesApplicableToGroupScope = + this.GetAssignedPermissionGrantPoliciesApplicableToGivenScopeType( + permissionGrantPolicyCollection, + authorizationPolicy, + MicrosoftGraphRscConfigurationScopeType.Team); + + if (string.Equals(projectedGroupConsentSettings.isGroupConsentSettingEnabled, true.ToString(), StringComparison.OrdinalIgnoreCase)) { - this.LogVerbose("Group consent setting value is enabled.", eventListener); - microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.EnabledForAllApps; + if (assignedPermissionGrantPoliciesApplicableToGroupScope.Any()) + { + this.LogVerbose( + "Projected group consent setting value is enabled and group scoped permission grant policies are enabled. Not a supported scenario.", + eventListener); + microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.Custom; + } + else if (string.IsNullOrWhiteSpace(projectedGroupConsentSettings.groupConsentConstrainedToGroupId)) + { + this.LogVerbose("Projected group consent setting value is enabled. 
No constraints on users able to grant consent.", eventListener); + microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.EnabledForAllApps; + } + else + { + this.LogVerbose($"Projected group consent setting value is enabled. Consent is constrained to users belonging to group '{projectedGroupConsentSettings.groupConsentConstrainedToGroupId}'.", eventListener); + microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.EnabledForSelectedGroupOfUsers; + } } - else if (authorizationPolicy - ?.DefaultUserRolePermissions - ?.PermissionGrantPoliciesAssigned - ?.Contains( - RscConfigurationSynthesizer.MicrosoftCreatedPermissionGrantPolicyForTeamRscPreApproval, StringComparer.OrdinalIgnoreCase) == true) - { - this.LogVerbose("Authorization policy contains permission grant policy for team RSC preapprovals.", eventListener); - microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.EnabledForPreApprovedAppsOnly; + else if (assignedPermissionGrantPoliciesApplicableToGroupScope.Any()) + { + if (assignedPermissionGrantPoliciesApplicableToGroupScope.Any(pgp => !string.Equals( + pgp.ManagePermissionGrantsForOwnedResourcePrefixedId, + RscConfigurationSynthesizer.MicrosoftCreatedPermissionGrantPolicyForTeamRscPreApproval, + StringComparison.OrdinalIgnoreCase))) + { + this.LogVerbose("Unknown group scoped permission grant policies are enabled. Not a supported scenario.", eventListener); + microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.Custom; + } + else + { + this.LogVerbose("Authorization policy contains permission grant policy for team RSC preapprovals.", eventListener); + microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.EnabledForPreApprovedAppsOnly; + } } else { 
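Review bot: `EnabledForSelectedGroupOfUsers` is derived here from ConstrainGroupSpecificConsentToMembersOfGroupId, but the Set side's AddOrUpdateGroupConsentSettings (L22) writes only EnableGroupSpecificConsent, so the state can be observed but not requested; that asymmetry belongs in the cmdlet help and the enum doc so admins do not try to round-trip it. The tuple elements `isGroupConsentSettingEnabled` / `groupConsentConstrainedToGroupId` use camelCase, whereas C# convention is PascalCase for tuple element names. `assignedPermissionGrantPoliciesApplicableToGroupScope` is enumerated several times, like its chat counterpart in L6–L7. The chain's final `else` is outside the hunk.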
@@ -140,6 +214,44 @@ internal IMicrosoftGraphRscConfiguration ConvertToTeamRscConfiguration(
 return microsoftGraphRscConfiguration;
 }
 
+ internal IEnumerable GetAssignedPermissionGrantPoliciesApplicableToGivenScopeType(
+ MGTeamsInternalPermissionGrantPolicyCollection permissionGrantPolicyCollection,
+ MGTeamsInternalAuthorizationPolicy authorizationPolicy,
+ MicrosoftGraphRscConfigurationScopeType rscConfigurationScopeType)
+ {
+ string identitySpecificScopeType;
+ switch (rscConfigurationScopeType)
+ {
+ case MicrosoftGraphRscConfigurationScopeType.Team:
+ identitySpecificScopeType = "group";
+ break;
+
+ case MicrosoftGraphRscConfigurationScopeType.Chat:
+ identitySpecificScopeType = "chat";
+ break;
+
+ default:
+ throw new NotSupportedException();
+ }
+
+ IEnumerable assignedPermissionGrantPolicies = authorizationPolicy.DefaultUserRolePermissions?.PermissionGrantPoliciesAssigned
+ ?? Enumerable.Empty();
+
+ List assignedPermissionGrantPoliciesApplicableToGivenScope =
+ new List();
+
+ foreach (MGTeamsInternalPermissionGrantPolicy permissionGrantPolicy in permissionGrantPolicyCollection.Value)
+ {
+ if (string.Equals(permissionGrantPolicy.ResourceScopeType, identitySpecificScopeType, StringComparison.OrdinalIgnoreCase) &&
+ assignedPermissionGrantPolicies.Contains(permissionGrantPolicy.ManagePermissionGrantsForOwnedResourcePrefixedId))
+ {
+ assignedPermissionGrantPoliciesApplicableToGivenScope.Add(permissionGrantPolicy);
+ }
+ }
+
+ return assignedPermissionGrantPoliciesApplicableToGivenScope;
+ }
+
 ///
 /// Get the projected value of IsGroupConsentEnabled.
 ///
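Review bot: `assignedPermissionGrantPolicies.Contains(permissionGrantPolicy.ManagePermissionGrantsForOwnedResourcePrefixedId)` uses the default case-sensitive comparer, while every other comparison of these ids in this file and in the Set cmdlets (L14–L21) uses `StringComparer.OrdinalIgnoreCase`; an assigned policy whose casing differs from the catalog id would be reported as not assigned by the Get cmdlets and left in place by `Set -State DisabledForAllApps`, so the admin believes consent is off when it is not. Change it to `assignedPermissionGrantPolicies.Contains(permissionGrantPolicy.ManagePermissionGrantsForOwnedResourcePrefixedId, StringComparer.OrdinalIgnoreCase)`. `authorizationPolicy` is dereferenced without a null check even though the method is internal and called directly from the cmdlets, and `throw new NotSupportedException()` carries no message — `throw new NotSupportedException($"Scope type '{rscConfigurationScopeType}' is not supported.");` is more useful in a cmdlet error. The method also lacks the doc comment every other member of this file carries; it should state that only policies both present in the tenant catalog and assigned to the default user role are returned.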
@@ -147,7 +259,7 @@ internal IMicrosoftGraphRscConfiguration ConvertToTeamRscConfiguration( /// The authorization policy. /// The event listener. /// Project value of IsGroupConsentEnabled. - private string GetProjectedIsGroupConsentEnabledSettingValue( + private (string isGroupConsentSettingEnabled, string groupConsentConstrainedToGroupId) GetProjectedGroupConsentSettings( MGTeamsInternalTenantConsentSettingsCollection tenantConsentSettingCollection, MGTeamsInternalAuthorizationPolicy authorizationPolicy, IEventListener eventListener) @@ -166,17 +278,21 @@ private string GetProjectedIsGroupConsentEnabledSettingValue( RscConfigurationSynthesizer.MicrosoftCreatedPermissionGrantPolicyForUserConsentLegacy, StringComparer.OrdinalIgnoreCase) == true) { this.LogVerbose("Legacy policy for user consent was found in default user role permissions. Projecting group consent to be true.", eventListener); - return true.ToString(); + return (isGroupConsentSettingEnabled: true.ToString(), groupConsentConstrainedToGroupId: null); } - return false.ToString(); + return (isGroupConsentSettingEnabled: false.ToString(), groupConsentConstrainedToGroupId: null); } MGTeamsInternalTenantConsentSettingValue isGroupConsentEnabledSettingValue = groupConsentSettings.Values?.SingleOrDefault( v => string.Equals(v.Name, RscConfigurationSynthesizer.EnableGroupSpecificConsentKey, StringComparison.OrdinalIgnoreCase)); - string projectedIsGroupConsentEnabledSettingValue = isGroupConsentEnabledSettingValue?.Value; - return projectedIsGroupConsentEnabledSettingValue; + MGTeamsInternalTenantConsentSettingValue groupConsentConstrainedToGroupId = groupConsentSettings.Values?.SingleOrDefault( + v => string.Equals(v.Name, RscConfigurationSynthesizer.ConstrainGroupSpecificConsentToMembersOfGroupIdKey, StringComparison.OrdinalIgnoreCase)); + + return + (isGroupConsentSettingEnabled: isGroupConsentEnabledSettingValue?.Value, + groupConsentConstrainedToGroupId: groupConsentConstrainedToGroupId?.Value); } /// 
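Review bot: The doc comment above GetProjectedGroupConsentSettings still describes the old single-value return (`/// Project value of IsGroupConsentEnabled.`), but the method now returns a tuple whose second element is the group id read from ConstrainGroupSpecificConsentToMembersOfGroupId, or null when the legacy-policy projection path is taken; the returns text should say so. The tuple element names are camelCase while C# convention is PascalCase, and the same tuple type is spelled out again at the call site in L9, so a small private result class would avoid repeating it. The second `SingleOrDefault` doubles the exposure to an InvalidOperationException if a tenant carries duplicate setting names — pre-existing for the first lookup, but worth a `FirstOrDefault` or an explicit error if duplicates are possible.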
diff --git a/src/Teams/beta/custom/SetMgBetaChatRscConfiguration_Update.cs b/src/Teams/beta/custom/SetMgBetaChatRscConfiguration_Update.cs index ffd4dd8e0b0..0f5c31df52a 100644 --- a/src/Teams/beta/custom/SetMgBetaChatRscConfiguration_Update.cs +++ b/src/Teams/beta/custom/SetMgBetaChatRscConfiguration_Update.cs @@ -245,8 +245,25 @@ protected override void ProcessRecord() await ((Microsoft.Graph.Beta.PowerShell.Runtime.IEventListener)this).Signal(Microsoft.Graph.Beta.PowerShell.Runtime.Events.CmdletBeforeAPICall); if (((Microsoft.Graph.Beta.PowerShell.Runtime.IEventListener)this).Token.IsCancellationRequested) { return; } MGTeamsInternalAuthorizationPolicy authorizationPolicy = await this.Client.GetAuthorizationPolicy(eventListener: this, sender: Pipeline); + WriteVerbose($"PermissionGrantPolicies currently assigned to default user role: '{string.Join(", ", authorizationPolicy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned)}'."); + if (((Microsoft.Graph.Beta.PowerShell.Runtime.IEventListener)this).Token.IsCancellationRequested) { return; } + + MGTeamsInternalPermissionGrantPolicyCollection permissionGrantPolicyCollection = + await this.Client.GetPermissionGrantPolicies(selectQuery: "id, resourceScopeType", eventListener: this, sender: this.Pipeline); + + WriteVerbose($"Fetched permission grant policies for tenant."); + + if (((Microsoft.Graph.Beta.PowerShell.Runtime.IEventListener)this).Token.IsCancellationRequested) { return; } + + RscConfigurationSynthesizer rscConfigurationSynthesizer = new RscConfigurationSynthesizer(); + IEnumerable assignedPermissionGrantPoliciesApplicableToChatScope = + rscConfigurationSynthesizer.GetAssignedPermissionGrantPoliciesApplicableToGivenScopeType( + permissionGrantPolicyCollection, + authorizationPolicy, + MicrosoftGraphRscConfigurationScopeType.Chat); + if (this.State == MicrosoftGraphRscConfigurationState.DisabledForAllApps) { // Disable chat RSC Teams Setting. 
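Review bot: The new `WriteVerbose($"PermissionGrantPolicies currently assigned to default user role: '{string.Join(", ", authorizationPolicy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned)}'.")` throws if DefaultUserRolePermissions or PermissionGrantPoliciesAssigned is null, whereas the synthesizer (L11) treats both as nullable via `?.PermissionGrantPoliciesAssigned ?? Enumerable.Empty()`; the same line is added to the team cmdlet in L17. If null is possible, guard it once, e.g. `string.Join(", ", authorizationPolicy.DefaultUserRolePermissions?.PermissionGrantPoliciesAssigned ?? Enumerable.Empty<string>())`; if it is not, the synthesizer's null handling is dead code and the two should agree. The `Except` calls later in this cmdlet dereference the same chain, so the decision applies to the whole file. ProcessRecord continues outside the hunk.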
@@ -260,36 +277,32 @@ await this.Client.UpdateTeamsAppSettings( if (((Microsoft.Graph.Beta.PowerShell.Runtime.IEventListener)this).Token.IsCancellationRequested) { return; } // Disable preapproval configs. - if (authorizationPolicy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned.Contains(RscConfigurationSynthesizer.MicrosoftCreatedPermissionGrantPolicyForChatRscPreApproval, StringComparer.OrdinalIgnoreCase)) - { - IEnumerable updatedPermissionGrantPolicies = authorizationPolicy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned.Except( - new string[] { RscConfigurationSynthesizer.MicrosoftCreatedPermissionGrantPolicyForChatRscPreApproval }, - StringComparer.OrdinalIgnoreCase); - await this.Client.UpdateDefaultUserRolePermissionGrantPoliciesAssigned( - updatedPermissionGrantPolicies, - this, - Pipeline); + IEnumerable updatedPermissionGrantPolicies = authorizationPolicy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned + .Except(assignedPermissionGrantPoliciesApplicableToChatScope + .Select(p => p.ManagePermissionGrantsForOwnedResourcePrefixedId), StringComparer.OrdinalIgnoreCase); + await this.Client.UpdateDefaultUserRolePermissionGrantPoliciesAssigned( + updatedPermissionGrantPolicies, + this, + Pipeline); - WriteVerbose($"Updated permission grant policies assigned to default user role: '{string.Join(", ", updatedPermissionGrantPolicies)}'."); - } + WriteVerbose($"Updated permission grant policies assigned to default user role: '{string.Join(", ", updatedPermissionGrantPolicies)}'."); if (((Microsoft.Graph.Beta.PowerShell.Runtime.IEventListener)this).Token.IsCancellationRequested) { return; } } else if (this.State == MicrosoftGraphRscConfigurationState.EnabledForPreApprovedAppsOnly) { // Enable preapproval configs. 
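Review bot: The authorization-policy update is now unconditional: when no chat-scoped policy is assigned, `updatedPermissionGrantPolicies` equals the current assignment and the cmdlet still writes the authorization policy, producing a directory write and an audit entry for a no-op, which the removed `if (…Contains(…))` guard avoided. `updatedPermissionGrantPolicies` is also a deferred LINQ query enumerated twice — by the update call and again by `string.Join` in the verbose line — so materialize it with `.ToList()` and guard the disable branch with `if (assignedPermissionGrantPoliciesApplicableToChatScope.Any())`; for the enable branches the equivalent guard is "the computed set differs from the current one". The same pattern appears in L15, L16, L19, L20 and L21. The enclosing branch is part of a chain that continues outside the hunk.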
- if (!authorizationPolicy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned.Contains(RscConfigurationSynthesizer.MicrosoftCreatedPermissionGrantPolicyForChatRscPreApproval, StringComparer.OrdinalIgnoreCase)) - { - IEnumerable updatedPermissionGrantPolicies = authorizationPolicy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned.Union( - new string[] { RscConfigurationSynthesizer.MicrosoftCreatedPermissionGrantPolicyForChatRscPreApproval }, - StringComparer.OrdinalIgnoreCase); - await this.Client.UpdateDefaultUserRolePermissionGrantPoliciesAssigned( - updatedPermissionGrantPolicies, - this, - Pipeline); - - WriteVerbose($"Updated permission grant policies assigned to default user role: '{string.Join(", ", updatedPermissionGrantPolicies)}'."); - } + IEnumerable updatedPermissionGrantPolicies = authorizationPolicy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned + .Except( + assignedPermissionGrantPoliciesApplicableToChatScope.Select(p => p.ManagePermissionGrantsForOwnedResourcePrefixedId), + StringComparer.OrdinalIgnoreCase) + .Union(new string[] { RscConfigurationSynthesizer.MicrosoftCreatedPermissionGrantPolicyForChatRscPreApproval }, StringComparer.OrdinalIgnoreCase); + await this.Client.UpdateDefaultUserRolePermissionGrantPoliciesAssigned( + updatedPermissionGrantPolicies, + this, + Pipeline); + + WriteVerbose($"Updated permission grant policies assigned to default user role: '{string.Join(", ", updatedPermissionGrantPolicies)}'."); if (((Microsoft.Graph.Beta.PowerShell.Runtime.IEventListener)this).Token.IsCancellationRequested) { return; } 
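Review bot: For `EnabledForPreApprovedAppsOnly` the new code removes every assigned chat-scoped policy before adding the Microsoft pre-approval policy, so an admin-created chat-scoped policy (the case Get now reports as `Custom`) is dropped from the default user role with no prompt; the only trace is the verbose line. Because this changes what users in the tenant may consent to, surface it: emit `WriteWarning` listing the ids being removed whenever any differs from `MicrosoftCreatedPermissionGrantPolicyForChatRscPreApproval`, or route the write through ShouldProcess so `-WhatIf`/`-Confirm` cover it. The team cmdlet in L20 has the same behaviour. The branch continues outside the hunk.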
@@ -316,18 +329,16 @@ await this.Client.UpdateTeamsAppSettings( if (((Microsoft.Graph.Beta.PowerShell.Runtime.IEventListener)this).Token.IsCancellationRequested) { return; } // Disable preapproval configs. - if (authorizationPolicy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned.Contains(RscConfigurationSynthesizer.MicrosoftCreatedPermissionGrantPolicyForChatRscPreApproval, StringComparer.OrdinalIgnoreCase)) - { - IEnumerable updatedPermissionGrantPolicies = authorizationPolicy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned.Except( - new string[] { RscConfigurationSynthesizer.MicrosoftCreatedPermissionGrantPolicyForChatRscPreApproval }, + IEnumerable updatedPermissionGrantPolicies = authorizationPolicy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned + .Except( + assignedPermissionGrantPoliciesApplicableToChatScope.Select(p => p.ManagePermissionGrantsForOwnedResourcePrefixedId), StringComparer.OrdinalIgnoreCase); - await this.Client.UpdateDefaultUserRolePermissionGrantPoliciesAssigned( - updatedPermissionGrantPolicies, - this, - Pipeline); + await this.Client.UpdateDefaultUserRolePermissionGrantPoliciesAssigned( + updatedPermissionGrantPolicies, + this, + Pipeline); - WriteVerbose($"Updated permission grant policies assigned to default user role: '{string.Join(", ", updatedPermissionGrantPolicies)}'."); - } + WriteVerbose($"Updated permission grant policies assigned to default user role: '{string.Join(", ", updatedPermissionGrantPolicies)}'."); if (((Microsoft.Graph.Beta.PowerShell.Runtime.IEventListener)this).Token.IsCancellationRequested) { return; } } diff --git a/src/Teams/beta/custom/SetMgBetaTeamRscConfiguration_Update.cs b/src/Teams/beta/custom/SetMgBetaTeamRscConfiguration_Update.cs index 1ca63dad040..20d2c62b747 100644 --- a/src/Teams/beta/custom/SetMgBetaTeamRscConfiguration_Update.cs +++ b/src/Teams/beta/custom/SetMgBetaTeamRscConfiguration_Update.cs 
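Review bot: The comment `// Disable preapproval configs.` is now stale — the code below removes every assigned chat-scoped permission grant policy, not just the pre-approval one; the team cmdlet updated its comment to `// Disable preapproval/permission grant policies applicable to Teams.` (L19), so the matching `// Disable preapproval/permission grant policies applicable to chats.` belongs here and at the same spot in L14. The enclosing branch's condition is outside the hunk.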
@@ -245,6 +245,7 @@ protected override void ProcessRecord() await ((Microsoft.Graph.Beta.PowerShell.Runtime.IEventListener)this).Signal(Microsoft.Graph.Beta.PowerShell.Runtime.Events.CmdletBeforeAPICall); if (((Microsoft.Graph.Beta.PowerShell.Runtime.IEventListener)this).Token.IsCancellationRequested) { return; } MGTeamsInternalAuthorizationPolicy authorizationPolicy = await this.Client.GetAuthorizationPolicy(eventListener: this, sender: Pipeline); + WriteVerbose($"PermissionGrantPolicies currently assigned to default user role: '{string.Join(", ", authorizationPolicy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned)}'."); if (((Microsoft.Graph.Beta.PowerShell.Runtime.IEventListener)this).Token.IsCancellationRequested) { return; } 
@@ -252,8 +253,24 @@ protected override void ProcessRecord() MGTeamsInternalTenantConsentSettingsCollection tenantConsentSettingsCollection = await this.Client.GetTenantConsentSettings(eventListener: this, sender: Pipeline); + WriteVerbose($"Fetched tenant consent settings."); + if (((Microsoft.Graph.Beta.PowerShell.Runtime.IEventListener)this).Token.IsCancellationRequested) { return; } + MGTeamsInternalPermissionGrantPolicyCollection permissionGrantPolicyCollection = + await this.Client.GetPermissionGrantPolicies(selectQuery: "id, resourceScopeType", eventListener: this, sender: this.Pipeline); + + WriteVerbose($"Fetched permission grant policies for tenant."); + + if (((Microsoft.Graph.Beta.PowerShell.Runtime.IEventListener)this).Token.IsCancellationRequested) { return; } + + RscConfigurationSynthesizer rscConfigurationSynthesizer = new RscConfigurationSynthesizer(); + IEnumerable assignedPermissionGrantPoliciesApplicableToTeamScope = + rscConfigurationSynthesizer.GetAssignedPermissionGrantPoliciesApplicableToGivenScopeType( + permissionGrantPolicyCollection, + authorizationPolicy, + MicrosoftGraphRscConfigurationScopeType.Team); + if (this.State == MicrosoftGraphRscConfigurationState.DisabledForAllApps) { // Disable group consent setting. 
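Review bot: `WriteVerbose($"Fetched tenant consent settings.");` and `WriteVerbose($"Fetched permission grant policies for tenant.");` are interpolated strings with no placeholders; drop the `$` (the same lines appear in L2, L3 and L13). If the verbose trace is meant to help support cases, `$"Fetched {permissionGrantPolicyCollection.Value.Count()} permission grant policies for tenant."` would earn its interpolation and give the reader something to correlate with the assigned-policy line above. ProcessRecord continues outside the hunk.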
@@ -265,37 +282,34 @@ await this.AddOrUpdateGroupConsentSettings( if (((Microsoft.Graph.Beta.PowerShell.Runtime.IEventListener)this).Token.IsCancellationRequested) { return; } - // Disable preapproval configs. - if (authorizationPolicy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned.Contains(RscConfigurationSynthesizer.MicrosoftCreatedPermissionGrantPolicyForTeamRscPreApproval, StringComparer.OrdinalIgnoreCase)) - { - IEnumerable updatedPermissionGrantPolicies = authorizationPolicy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned.Except( - new string[] { RscConfigurationSynthesizer.MicrosoftCreatedPermissionGrantPolicyForTeamRscPreApproval }, + // Disable preapproval/permission grant policies applicable to Teams. + IEnumerable updatedPermissionGrantPolicies = authorizationPolicy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned + .Except( + assignedPermissionGrantPoliciesApplicableToTeamScope.Select(p => p.ManagePermissionGrantsForOwnedResourcePrefixedId), StringComparer.OrdinalIgnoreCase); - await this.Client.UpdateDefaultUserRolePermissionGrantPoliciesAssigned( - updatedPermissionGrantPolicies, - this, - Pipeline); + await this.Client.UpdateDefaultUserRolePermissionGrantPoliciesAssigned( + updatedPermissionGrantPolicies, + this, + Pipeline); - WriteVerbose($"Updated permission grant policies assigned to default user role: '{string.Join(", ", updatedPermissionGrantPolicies)}'."); - } + WriteVerbose($"Updated permission grant policies assigned to default user role: '{string.Join(", ", updatedPermissionGrantPolicies)}'."); if (((Microsoft.Graph.Beta.PowerShell.Runtime.IEventListener)this).Token.IsCancellationRequested) { return; } } else if (this.State == MicrosoftGraphRscConfigurationState.EnabledForPreApprovedAppsOnly) { // Enable preapproval configs. 
- if (!authorizationPolicy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned.Contains(RscConfigurationSynthesizer.MicrosoftCreatedPermissionGrantPolicyForTeamRscPreApproval, StringComparer.OrdinalIgnoreCase)) - { - IEnumerable updatedPermissionGrantPolicies = authorizationPolicy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned.Union( - new string[] { RscConfigurationSynthesizer.MicrosoftCreatedPermissionGrantPolicyForTeamRscPreApproval }, - StringComparer.OrdinalIgnoreCase); - await this.Client.UpdateDefaultUserRolePermissionGrantPoliciesAssigned( - updatedPermissionGrantPolicies, - this, - Pipeline); - - WriteVerbose($"Updated permission grant policies assigned to default user role: '{string.Join(", ", updatedPermissionGrantPolicies)}'."); - } + IEnumerable updatedPermissionGrantPolicies = authorizationPolicy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned + .Except( + assignedPermissionGrantPoliciesApplicableToTeamScope.Select(p => p.ManagePermissionGrantsForOwnedResourcePrefixedId), + StringComparer.OrdinalIgnoreCase) + .Union(new string[] { RscConfigurationSynthesizer.MicrosoftCreatedPermissionGrantPolicyForTeamRscPreApproval }, StringComparer.OrdinalIgnoreCase); + await this.Client.UpdateDefaultUserRolePermissionGrantPoliciesAssigned( + updatedPermissionGrantPolicies, + this, + Pipeline); + + WriteVerbose($"Updated permission grant policies assigned to default user role: '{string.Join(", ", updatedPermissionGrantPolicies)}'."); if (((Microsoft.Graph.Beta.PowerShell.Runtime.IEventListener)this).Token.IsCancellationRequested) { return; } 
@@ -319,19 +333,17 @@ await this.AddOrUpdateGroupConsentSettings(
 if (((Microsoft.Graph.Beta.PowerShell.Runtime.IEventListener)this).Token.IsCancellationRequested) { return; }
- // Disable preapproval configs.
- if (authorizationPolicy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned.Contains(RscConfigurationSynthesizer.MicrosoftCreatedPermissionGrantPolicyForTeamRscPreApproval, StringComparer.OrdinalIgnoreCase))
- {
- IEnumerable updatedPermissionGrantPolicies = authorizationPolicy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned.Except(
- new string[] { RscConfigurationSynthesizer.MicrosoftCreatedPermissionGrantPolicyForTeamRscPreApproval },
+ // Disable preapproval/permission grant policies applicable to Teams.
+ IEnumerable updatedPermissionGrantPolicies = authorizationPolicy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
+ .Except(
+ assignedPermissionGrantPoliciesApplicableToTeamScope.Select(p => p.ManagePermissionGrantsForOwnedResourcePrefixedId),
 StringComparer.OrdinalIgnoreCase);
- await this.Client.UpdateDefaultUserRolePermissionGrantPoliciesAssigned(
- updatedPermissionGrantPolicies,
- this,
- Pipeline);
+ await this.Client.UpdateDefaultUserRolePermissionGrantPoliciesAssigned(
+ updatedPermissionGrantPolicies,
+ this,
+ Pipeline);
- WriteVerbose($"Updated permission grant policies assigned to default user role: '{string.Join(", ", updatedPermissionGrantPolicies)}'.");
- }
+ WriteVerbose($"Updated permission grant policies assigned to default user role: '{string.Join(", ", updatedPermissionGrantPolicies)}'.");
 if (((Microsoft.Graph.Beta.PowerShell.Runtime.IEventListener)this).Token.IsCancellationRequested) { return; }
 }
@@ -401,7 +413,7 @@ private async System.Threading.Tasks.Task AddOrUpdateGroupConsentSettings(
 .Where(s => !string.Equals(s.Name, RscConfigurationSynthesizer.EnableGroupSpecificConsentKey))
 .Union(new MGTeamsInternalTenantConsentSettingValue[]
 {
- new MGTeamsInternalTenantConsentSettingValue(RscConfigurationSynthesizer.EnableGroupSpecificConsentKey, isGroupSpecificConsentEnabled.ToString())
+ new MGTeamsInternalTenantConsentSettingValue(RscConfigurationSynthesizer.EnableGroupSpecificConsentKey, isGroupSpecificConsentEnabled.ToString().ToLowerInvariant())
 })
 .ToArray();
@@ -417,30 +429,26 @@ await this.Client.CreateGroupConsentSettings(
 // Modify only the group consent setting.
 MGTeamsInternalTenantConsentSettingValue isGroupConsentEnabledSettingValue = groupConsentSettings.Values.Single( v => string.Equals(v.Name, RscConfigurationSynthesizer.EnableGroupSpecificConsentKey, StringComparison.OrdinalIgnoreCase));
- if (!string.Equals(isGroupConsentEnabledSettingValue.Value, isGroupSpecificConsentEnabled.ToString(), StringComparison.OrdinalIgnoreCase))
- {
- // Preserve existing values except for group consent setting.
- MGTeamsInternalTenantConsentSettingValue[] updatedValues =
- groupConsentSettings.Values
- .Where(v => !string.Equals(v.Name, RscConfigurationSynthesizer.EnableGroupSpecificConsentKey, StringComparison.OrdinalIgnoreCase))
- .Union(new MGTeamsInternalTenantConsentSettingValue[]
- {
- new MGTeamsInternalTenantConsentSettingValue(RscConfigurationSynthesizer.EnableGroupSpecificConsentKey, isGroupSpecificConsentEnabled.ToString())
- })
- .ToArray();
-
- await this.Client.UpdateGroupConsentSettings(
- groupConsentSettings.Id,
- updatedValues,
- eventListener: this,
- sender: Pipeline);
-
- WriteVerbose($"Updated group consent settings with values: '{string.Join(", ", updatedValues.Select(i => i.ToJson().ToString()))}'.");
- }
- else
- {
- WriteVerbose($"Group consent setting is already set to '{isGroupSpecificConsentEnabled}'.");
- }
+
+ // Preserve existing values except for group consent setting.
+ MGTeamsInternalTenantConsentSettingValue[] updatedValues =
+ groupConsentSettings.Values
+ .Where(v => !string.Equals(v.Name, RscConfigurationSynthesizer.EnableGroupSpecificConsentKey, StringComparison.OrdinalIgnoreCase) &&
+ !string.Equals(v.Name, RscConfigurationSynthesizer.ConstrainGroupSpecificConsentToMembersOfGroupIdKey, StringComparison.OrdinalIgnoreCase))
+ .Union(new MGTeamsInternalTenantConsentSettingValue[]
+ {
+ new MGTeamsInternalTenantConsentSettingValue(RscConfigurationSynthesizer.EnableGroupSpecificConsentKey, isGroupSpecificConsentEnabled.ToString().ToLowerInvariant()),
+ new MGTeamsInternalTenantConsentSettingValue(RscConfigurationSynthesizer.ConstrainGroupSpecificConsentToMembersOfGroupIdKey, string.Empty)
+ })
+ .ToArray();
+
+ await this.Client.UpdateGroupConsentSettings(
+ groupConsentSettings.Id,
+ updatedValues,
+ eventListener: this,
+ sender: Pipeline);
+
+ WriteVerbose($"Updated group consent settings with values: '{string.Join(", ", updatedValues.Select(i => i.ToJson().ToString()))}'.");
 }
 }
diff --git a/src/Teams/beta/custom/Teams.cs b/src/Teams/beta/custom/Teams.cs
index 08528bd3aef..a0ac58f2173 100644
--- a/src/Teams/beta/custom/Teams.cs
+++ b/src/Teams/beta/custom/Teams.cs
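Review bot: The update path now writes `ConstrainGroupSpecificConsentToMembersOfGroupIdKey` as `string.Empty` on every run, so any restriction that previously limited group-specific consent to members of one group is cleared silently, which (going by the key name) widens who may grant consent once `isGroupSpecificConsentEnabled` is true. Nothing in the hunk surfaces this beyond the verbose JSON dump; the previous value is available in `groupConsentSettings.Values`, so I would read it and `WriteWarning` when it is non-empty before overwriting, as below. Also, `isGroupConsentEnabledSettingValue` on the context line above is still computed with `.Single(...)` but is no longer read on the new side, so it remains only as a way to throw InvalidOperationException when the setting is absent or duplicated; either drop it or use it for the warning. The create path and the start of AddOrUpdateGroupConsentSettings are outside the hunk.
```csharp
MGTeamsInternalTenantConsentSettingValue constrainedToGroupSetting = groupConsentSettings.Values.SingleOrDefault(
    v => string.Equals(v.Name, RscConfigurationSynthesizer.ConstrainGroupSpecificConsentToMembersOfGroupIdKey, StringComparison.OrdinalIgnoreCase));
if (!string.IsNullOrEmpty(constrainedToGroupSetting?.Value))
{
    WriteWarning($"Clearing the group consent restriction that limited consent to members of group '{constrainedToGroupSetting.Value}'.");
}
// … unchanged: updatedValues projection, UpdateGroupConsentSettings call and verbose output …
```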
@@ -113,6 +113,32 @@ internal async System.Threading.Tasks.Task
+ /// Get permission grant policies in the tenant.
+ ///
+ /// The select query.
+ /// The event listener.
+ /// The http request sender.
+ /// Preapproval policy collection.
+ internal async System.Threading.Tasks.Task GetPermissionGrantPolicies(
+ string selectQuery,
+ Runtime.IEventListener eventListener,
+ Runtime.ISendAsync sender)
+ {
+ // Constant Parameters
+ using (NoSynchronizationContext)
+ {
+ GetPermissionGrantPolicyCollectionRequest request =
+ new GetPermissionGrantPolicyCollectionRequest(selectQuery);
+
+ return await this.ExecuteHttpRequestAsync(
+ request,
+ json => MGTeamsInternalPermissionGrantPolicyCollection.FromJson(json),
+ eventListener,
+ sender);
+ }
+ }
+
 ///
 /// Get resource specific permissions registered in Microsoft Graph.
 ///
diff --git a/src/Teams/beta/custom/TeamsInternalModels/MGTeamsInternalPermissionGrantPolicy.cs b/src/Teams/beta/custom/TeamsInternalModels/MGTeamsInternalPermissionGrantPolicy.cs
new file mode 100644
index 00000000000..2b1550503bd
--- /dev/null
+++ b/src/Teams/beta/custom/TeamsInternalModels/MGTeamsInternalPermissionGrantPolicy.cs
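Review bot: The returns doc line `Preapproval policy collection.` does not describe what `GetPermissionGrantPolicies` returns: the request is built from the caller-supplied `selectQuery` with no filter visible here, and `MGTeamsInternalPermissionGrantPolicyCollection.FromJson` (added in this patch) yields null when the body is not a JSON object, so the result is every permission grant policy in the tenant, or null. I would change it to `/// All permission grant policies in the tenant, or null when the response body is not a JSON object.` and drop the leftover `// Constant Parameters` comment, which precedes no constants. Whether callers guard against the null result is not visible in this hunk.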
@@ -0,0 +1,72 @@ +// Code generated by Microsoft (R) AutoRest Code Generator (autorest: 3.0.6306, generator: {generator}) +// Changes may cause incorrect behavior and will be lost if the code is regenerated. + +namespace Microsoft.Graph.Beta.PowerShell.Models.TeamsInternal +{ + using static Microsoft.Graph.Beta.PowerShell.Runtime.Extensions; + + /// + /// Teams internal model for a Permission Grant policy. + /// + internal class MGTeamsInternalPermissionGrantPolicy + { + /// + /// The Id of the policy + /// + internal string Id { get; set; } + + /// + /// Resource Scope type - group/chat. + /// + internal string ResourceScopeType { get; set; } + + /// + /// Prefix-attached id to match what's present in authorization policy. + /// + internal string ManagePermissionGrantsForOwnedResourcePrefixedId + { + get + { + return $"ManagePermissionGrantsForOwnedResource.{this.Id}"; + } + } + + /// + /// Deserializes a into an instance of MGTeamsInternalPermissionGrantPolicy. + /// + /// a to deserialize from. + /// an instance of MGTeamsInternalPermissionGrantPolicy. + internal static MGTeamsInternalPermissionGrantPolicy FromJson(Microsoft.Graph.Beta.PowerShell.Runtime.Json.JsonNode json) + { + Runtime.Json.JsonObject jsonObject = json as Microsoft.Graph.Beta.PowerShell.Runtime.Json.JsonObject; + return jsonObject == null + ? null + : new MGTeamsInternalPermissionGrantPolicy(jsonObject); + } + + /// + /// Initializes a new instance of the class. + /// + internal MGTeamsInternalPermissionGrantPolicy(Runtime.Json.JsonObject json) + { + string id = If(json.PropertyT("id"), out var jsonId) + ? (string)jsonId + : null; + + string resourceScopeType = If(json.PropertyT("resourceScopeType"), out var jsonResourceScopeType) + ? (string)jsonResourceScopeType + : null; + + this.SetProperties(id, resourceScopeType); + } + + /// + /// Initialize properties of this object. 
+ /// + private void SetProperties(string id, string resourceScopeType) + { + this.Id = id; + this.ResourceScopeType = resourceScopeType; + } + } +} \ No newline at end of file diff --git a/src/Teams/beta/custom/TeamsInternalModels/MGTeamsInternalPermissionGrantPolicyCollection.cs b/src/Teams/beta/custom/TeamsInternalModels/MGTeamsInternalPermissionGrantPolicyCollection.cs new file mode 100644 index 00000000000..fb748ed34cd --- /dev/null +++ b/src/Teams/beta/custom/TeamsInternalModels/MGTeamsInternalPermissionGrantPolicyCollection.cs 
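Review bot: The header claims this file is AutoRest output that will be lost on regeneration, yet it lives under `custom/` and holds a hand-written constructor, `SetProperties` and the `ManagePermissionGrantsForOwnedResourcePrefixedId` property, so the header only discourages review of code the Set cmdlets use to decide which policies to unassign; I would delete the two header lines. The prefix in `$"ManagePermissionGrantsForOwnedResource.{this.Id}"` is what the `Except(...)` matching against `PermissionGrantPoliciesAssigned` depends on, so it deserves a named constant such as `internal const string ManagePermissionGrantsForOwnedResourcePrefix = "ManagePermissionGrantsForOwnedResource.";` with a comment saying it must mirror the authorization-policy format. When `id` is missing from the JSON the property yields the bare prefix, which presumably matches nothing; a short comment or null check there would make that intent explicit.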
@@ -0,0 +1,47 @@ +// Code generated by Microsoft (R) AutoRest Code Generator (autorest: 3.0.6306, generator: {generator}) +// Changes may cause incorrect behavior and will be lost if the code is regenerated. + +namespace Microsoft.Graph.Beta.PowerShell.Models.TeamsInternal +{ + using System; + using System.Collections.Generic; + using System.Linq; + using static Microsoft.Graph.Beta.PowerShell.Runtime.Extensions; + + /// + /// Teams internal model for permission grant policy collection. + /// + internal class MGTeamsInternalPermissionGrantPolicyCollection + { + /// + /// Collection of policies. + /// + internal IEnumerable Value { get; private set; } + + /// + /// Deserializes a into an instance of MGTeamsInternalPermissionGrantPreApprovalPolicyCollection. + /// + /// a to deserialize from. + /// an instance of MGTeamsInternalPermissionGrantPreApprovalPolicyCollection. + internal static MGTeamsInternalPermissionGrantPolicyCollection FromJson(Microsoft.Graph.Beta.PowerShell.Runtime.Json.JsonNode jsonNode) + { + Microsoft.Graph.Beta.PowerShell.Runtime.Json.JsonObject jsonObject = jsonNode as Microsoft.Graph.Beta.PowerShell.Runtime.Json.JsonObject; + return jsonObject == null + ? null + : new MGTeamsInternalPermissionGrantPolicyCollection(jsonObject); + } + + /// + /// Initializes a new instance of the class. + /// + internal MGTeamsInternalPermissionGrantPolicyCollection(Microsoft.Graph.Beta.PowerShell.Runtime.Json.JsonObject json) + { + this.Value = If(json.PropertyT("value"), out var jsonValue) + ? jsonValue + .Where(j => j is Microsoft.Graph.Beta.PowerShell.Runtime.Json.JsonObject) + .Select(j => MGTeamsInternalPermissionGrantPolicy.FromJson((Microsoft.Graph.Beta.PowerShell.Runtime.Json.JsonObject)j)) + .ToArray() + : Array.Empty(); + } + } +} \ No newline at end of file From 98bcb7cab217394da2c1808c7229da38b40dc861 Mon Sep 17 00:00:00 2001 
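Review bot: The summary and returns doc on `FromJson` name `MGTeamsInternalPermissionGrantPreApprovalPolicyCollection`, which is not the class being returned; both should read `MGTeamsInternalPermissionGrantPolicyCollection`. As with the sibling model, the AutoRest "generated" header does not fit a hand-written file under `custom/` and should go.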
From: Subhajit Ray Date: Fri, 4 Aug 2023 15:55:38 -0700 Subject: [PATCH 2/3] Add doc comments. --- .../beta/custom/RscConfigurationSynthesizer.cs | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/src/Teams/beta/custom/RscConfigurationSynthesizer.cs b/src/Teams/beta/custom/RscConfigurationSynthesizer.cs index 6ac37bf19c2..b7fac2186c5 100644 --- a/src/Teams/beta/custom/RscConfigurationSynthesizer.cs +++ b/src/Teams/beta/custom/RscConfigurationSynthesizer.cs @@ -35,8 +35,10 @@ internal RscConfigurationSynthesizer() /// /// Convert the given settings and policy to Chat RSC configuration. /// + /// The permission grant policy collection. /// Teams app settings. /// Authorization policy. + /// The event listener. /// The chat RSC configuration. internal MicrosoftGraphRscConfiguration ConvertToChatRscConfiguration( MGTeamsInternalPermissionGrantPolicyCollection permissionGrantPolicyCollection, @@ -121,6 +123,7 @@ internal MicrosoftGraphRscConfiguration ConvertToChatRscConfiguration( /// /// Convert the given tenant settings to Team RSC configuration. /// + /// Permission grant policy collection. /// Tenant consent setting collection. /// Authorization policy. /// Rsc configuration. @@ -214,6 +217,13 @@ internal IMicrosoftGraphRscConfiguration ConvertToTeamRscConfiguration( return microsoftGraphRscConfiguration; } + /// + /// Get permission grant policies assigned to default user role (all users and apps) which are relevant to the given scope. + /// + /// The permission grant policy collection. + /// The authorization policy. + /// The rsc config scope type. + /// List of policies. internal IEnumerable GetAssignedPermissionGrantPoliciesApplicableToGivenScopeType( MGTeamsInternalPermissionGrantPolicyCollection permissionGrantPolicyCollection, MGTeamsInternalAuthorizationPolicy authorizationPolicy, 
@@ -253,12 +263,14 @@ internal IEnumerable GetAssignedPermission } /// - /// Get the projected value of IsGroupConsentEnabled. + /// Get the projected value of group consent settings. i.e. + /// 1. Whether group consent is enabled. This is derived from group consent and user consent settings. + /// 2. Specific groups that group consent is restricted to. /// /// Tenant consent setting collection. /// The authorization policy. /// The event listener. - /// Project value of IsGroupConsentEnabled. + /// Projected value of group consent settings. private (string isGroupConsentSettingEnabled, string groupConsentConstrainedToGroupId) GetProjectedGroupConsentSettings( MGTeamsInternalTenantConsentSettingsCollection tenantConsentSettingCollection, MGTeamsInternalAuthorizationPolicy authorizationPolicy, From 6250ed217a93fdbb2ca7b4280676ee0261260482 Mon Sep 17 00:00:00 2001 From: Subhajit Ray Date: Mon, 7 Aug 2023 13:53:06 -0700 Subject: [PATCH 3/3] Comments. --- .../SetMgBetaChatRscConfiguration_Update.cs | 19 ++++++++++--------- .../SetMgBetaTeamRscConfiguration_Update.cs | 19 ++++++++++--------- 2 files changed, 20 insertions(+), 18 deletions(-) diff --git a/src/Teams/beta/custom/SetMgBetaChatRscConfiguration_Update.cs b/src/Teams/beta/custom/SetMgBetaChatRscConfiguration_Update.cs index 0f5c31df52a..d1ac10a48ac 100644 --- a/src/Teams/beta/custom/SetMgBetaChatRscConfiguration_Update.cs +++ b/src/Teams/beta/custom/SetMgBetaChatRscConfiguration_Update.cs 
@@ -276,22 +276,23 @@ await this.Client.UpdateTeamsAppSettings(
 if (((Microsoft.Graph.Beta.PowerShell.Runtime.IEventListener)this).Token.IsCancellationRequested) { return; }
- // Disable preapproval configs.
- IEnumerable updatedPermissionGrantPolicies = authorizationPolicy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
+ // Remove all permission grant policies assigned to default user role permissions which are relevant to chat scope.
+ IEnumerable existingPermissionGrantPoliciesExceptChatScopePolicies = authorizationPolicy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
 .Except(assignedPermissionGrantPoliciesApplicableToChatScope
 .Select(p => p.ManagePermissionGrantsForOwnedResourcePrefixedId),
 StringComparer.OrdinalIgnoreCase);
 await this.Client.UpdateDefaultUserRolePermissionGrantPoliciesAssigned(
- updatedPermissionGrantPolicies,
+ existingPermissionGrantPoliciesExceptChatScopePolicies,
 this,
 Pipeline);
- WriteVerbose($"Updated permission grant policies assigned to default user role: '{string.Join(", ", updatedPermissionGrantPolicies)}'.");
+ WriteVerbose($"Updated permission grant policies assigned to default user role: '{string.Join(", ", existingPermissionGrantPoliciesExceptChatScopePolicies)}'.");
 if (((Microsoft.Graph.Beta.PowerShell.Runtime.IEventListener)this).Token.IsCancellationRequested) { return; }
 }
 else if (this.State == MicrosoftGraphRscConfigurationState.EnabledForPreApprovedAppsOnly)
 {
- // Enable preapproval configs.
+ // Remove all permission grant policies assigned to default user role permissions which are relevant to chat scope and add
+ // Microsoft created.policy enabling pre-approvals.
 IEnumerable updatedPermissionGrantPolicies = authorizationPolicy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
 .Except(
 assignedPermissionGrantPoliciesApplicableToChatScope.Select(p => p.ManagePermissionGrantsForOwnedResourcePrefixedId),
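Review bot: The new comment `// Microsoft created.policy enabling pre-approvals.` has a stray period in the middle of the phrase; `// Microsoft-created policy enabling pre-approvals.` reads as intended. The team cmdlet hunk at `@@ -282,23 +282,24 @@` carries the same text. The ProcessRecord body continues outside the hunk.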
@@ -328,17 +329,17 @@ await this.Client.UpdateTeamsAppSettings(
 if (((Microsoft.Graph.Beta.PowerShell.Runtime.IEventListener)this).Token.IsCancellationRequested) { return; }
- // Disable preapproval configs.
- IEnumerable updatedPermissionGrantPolicies = authorizationPolicy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
+ // Remove all permission grant policies assigned to default user role permissions which are relevant to chat scope.
+ IEnumerable existingPermissionGrantPoliciesExceptChatScopePolicies = authorizationPolicy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
 .Except(
 assignedPermissionGrantPoliciesApplicableToChatScope.Select(p => p.ManagePermissionGrantsForOwnedResourcePrefixedId),
 StringComparer.OrdinalIgnoreCase);
 await this.Client.UpdateDefaultUserRolePermissionGrantPoliciesAssigned(
- updatedPermissionGrantPolicies,
+ existingPermissionGrantPoliciesExceptChatScopePolicies,
 this,
 Pipeline);
- WriteVerbose($"Updated permission grant policies assigned to default user role: '{string.Join(", ", updatedPermissionGrantPolicies)}'.");
+ WriteVerbose($"Updated permission grant policies assigned to default user role: '{string.Join(", ", existingPermissionGrantPoliciesExceptChatScopePolicies)}'.");
 if (((Microsoft.Graph.Beta.PowerShell.Runtime.IEventListener)this).Token.IsCancellationRequested) { return; }
 }
diff --git a/src/Teams/beta/custom/SetMgBetaTeamRscConfiguration_Update.cs b/src/Teams/beta/custom/SetMgBetaTeamRscConfiguration_Update.cs
index 20d2c62b747..6e89731a1e7 100644
--- a/src/Teams/beta/custom/SetMgBetaTeamRscConfiguration_Update.cs
+++ b/src/Teams/beta/custom/SetMgBetaTeamRscConfiguration_Update.cs
@@ -282,23 +282,24 @@ await this.AddOrUpdateGroupConsentSettings(
 if (((Microsoft.Graph.Beta.PowerShell.Runtime.IEventListener)this).Token.IsCancellationRequested) { return; }
- // Disable preapproval/permission grant policies applicable to Teams.
- IEnumerable updatedPermissionGrantPolicies = authorizationPolicy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
+ // Remove all permission grant policies assigned to default user role permissions which are relevant to team scope.
+ IEnumerable existingPermissionGrantPoliciesExceptTeamScopePolicies = authorizationPolicy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
 .Except(
 assignedPermissionGrantPoliciesApplicableToTeamScope.Select(p => p.ManagePermissionGrantsForOwnedResourcePrefixedId),
 StringComparer.OrdinalIgnoreCase);
 await this.Client.UpdateDefaultUserRolePermissionGrantPoliciesAssigned(
- updatedPermissionGrantPolicies,
+ existingPermissionGrantPoliciesExceptTeamScopePolicies,
 this,
 Pipeline);
- WriteVerbose($"Updated permission grant policies assigned to default user role: '{string.Join(", ", updatedPermissionGrantPolicies)}'.");
+ WriteVerbose($"Updated permission grant policies assigned to default user role: '{string.Join(", ", existingPermissionGrantPoliciesExceptTeamScopePolicies)}'.");
 if (((Microsoft.Graph.Beta.PowerShell.Runtime.IEventListener)this).Token.IsCancellationRequested) { return; }
 }
 else if (this.State == MicrosoftGraphRscConfigurationState.EnabledForPreApprovedAppsOnly)
 {
- // Enable preapproval configs.
+ // Remove all permission grant policies assigned to default user role permissions which are relevant to team scope and add
+ // Microsoft created.policy enabling pre-approvals.
 IEnumerable updatedPermissionGrantPolicies = authorizationPolicy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
 .Except(
 assignedPermissionGrantPoliciesApplicableToTeamScope.Select(p => p.ManagePermissionGrantsForOwnedResourcePrefixedId),
@@ -333,17 +334,17 @@ await this.AddOrUpdateGroupConsentSettings(
 if (((Microsoft.Graph.Beta.PowerShell.Runtime.IEventListener)this).Token.IsCancellationRequested) { return; }
- // Disable preapproval/permission grant policies applicable to Teams.
- IEnumerable updatedPermissionGrantPolicies = authorizationPolicy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
+ // Remove all permission grant policies assigned to default user role permissions which are relevant to team scope.
+ IEnumerable existingPermissionGrantPoliciesExceptTeamScopePolicies = authorizationPolicy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
 .Except(
 assignedPermissionGrantPoliciesApplicableToTeamScope.Select(p => p.ManagePermissionGrantsForOwnedResourcePrefixedId),
 StringComparer.OrdinalIgnoreCase);
 await this.Client.UpdateDefaultUserRolePermissionGrantPoliciesAssigned(
- updatedPermissionGrantPolicies,
+ existingPermissionGrantPoliciesExceptTeamScopePolicies,
 this,
 Pipeline);
- WriteVerbose($"Updated permission grant policies assigned to default user role: '{string.Join(", ", updatedPermissionGrantPolicies)}'.");
+ WriteVerbose($"Updated permission grant policies assigned to default user role: '{string.Join(", ", existingPermissionGrantPoliciesExceptTeamScopePolicies)}'.");
 if (((Microsoft.Graph.Beta.PowerShell.Runtime.IEventListener)this).Token.IsCancellationRequested) { return; }
 }